<?php
/*
  * This file is part of the Record of processing activities project.
  * Its original location is https://github.com/Safran/RoPA
  * 
  * SPDX-License-Identifier: GPL-3.0-only
  */


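// Base URL of the IdP. It is only used to build the default IdP endpoint URLs in the
// 'idp' section below; each of those can also be overridden individually.
// The http://localhost default is a local-development convenience (simpleSAMLphp on
// port 8000). A production deployment must point SAML2_IDP_HOST at an https URL or
// override the endpoint URLs, otherwise assertions travel over cleartext.
$idp_host = env('SAML2_IDP_HOST', 'http://localhost:8000/simplesaml');

return [

	/**
	 * If 'useRoutes' is set to true, the package defines five new routes:
	 *
	 *    Method | URI                      | Name
	 *    -------|--------------------------|------------------
	 *    POST   | {routesPrefix}/acs       | saml_acs
	 *    GET    | {routesPrefix}/login     | saml_login
	 *    GET    | {routesPrefix}/logout    | saml_logout
	 *    GET    | {routesPrefix}/metadata  | saml_metadata
	 *    GET    | {routesPrefix}/sls       | saml_sls
	 */
	'useRoutes' => true,

	'routesPrefix'                 => '/saml2',

	/**
	 * Middleware group applied to the SAML routes.
	 * Laravel 5.2 needs a group that includes StartSession, otherwise the
	 * session the ACS handler writes the authenticated user into does not exist.
	 */
	'routesMiddleware'             => [ 'saml2' ],

	/**
	 * How the parameters of an HTTP-Redirect SLS request are obtained for
	 * signature validation: false re-reads them from the parsed request,
	 * true takes the raw query string as the server received it.
	 */
	'retrieveParametersFromServer' => false,

	/**
	 * Where to redirect after logout
	 */
	'logoutRoute'                  => '/',

	/**
	 * Where to redirect after login if no other option was provided
	 */
	'loginRoute'                   => '/',

	/**
	 * Where to redirect when the SAML exchange fails (invalid or rejected response)
	 */
	'errorRoute'                   => '/',

	/*****
	 * OneLogin Settings
	 */

	// If 'strict' is true, the PHP Toolkit rejects unsigned or unencrypted
	// messages when it expects them signed or encrypted, and rejects messages
	// that do not strictly follow the SAML standard: Destination, NameId,
	// Conditions ... are validated too.
	// Deliberately a literal and not env-driven: turning this off removes the
	// checks that stop a response from being replayed to, or re-targeted at, this SP.
	'strict'                       => true,

	// Enable debug mode (to print errors). Tied to APP_DEBUG so verbose SAML
	// error output never leaks in a non-debug deployment.
	'debug'                        => env('APP_DEBUG', false),

	// If 'proxyVars' is true, the SAML lib trusts proxy headers such as
	// X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO when reconstructing its own URL.
	// Needed when the application runs behind a load balancer that terminates TLS
	// (otherwise strict-mode Destination checks see http:// URLs). Only enable it
	// when the proxy strips and sets those headers itself; trusting them from an
	// arbitrary client lets the client choose the URL the SP validates against.
	'proxyVars'                    => env('SAML2_PROXY_VARS', false),

	// Service Provider Data that we are deploying
	'sp'                           => [

		// Constraint on the name identifier used to represent the requested subject.
		// See lib/Saml2/Constants.php for the supported NameIDFormat values.
		'NameIDFormat'             => env('SAML2_SP_NAMEIDFORMAT', 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'),

		// x509cert and privateKey of the SP are usually provided as files in the
		// certs folder, but can also be supplied here. Both are required for the
		// 'nameIdEncrypted' / '*Signed' options in the 'security' section to work.
		// The private key is a secret: supply it via the environment / secret store,
		// never commit it into this file.
		'x509cert'                 => env('SAML2_SP_x509', ''),
		'privateKey'               => env('SAML2_SP_PRIVATEKEY', ''),

		// Identifier (URI) of the SP entity.
		// Leave blank to use the 'saml_metadata' route.
		'entityId'                 => env('SAML2_SP_ENTITYID', ''),

		// Where and how the <AuthnResponse> message MUST be returned to this SP.
		'assertionConsumerService' => [
			// URL Location where the <Response> from the IdP will be returned,
			// using HTTP-POST binding.
			// Leave blank to use the 'saml_acs' route
			'url' => '',
		],
		// Where and how the <LogoutResponse> message MUST be returned to this SP.
		// Remove this part to not include any URL Location in the metadata.
		'singleLogoutService'      => [
			// URL Location where the <Response> from the IdP will be returned,
			// using HTTP-Redirect binding.
			// Leave blank to use the 'saml_sls' route
			'url' => '',
		],

		// Attributes requested from the IdP. The 'name' of each entry is the
		// attribute the IdP must send; 'friendlyName' is how this application
		// refers to it. The defaults are env-overridable so they can be matched
		// to whatever the IdP actually releases.
		// NOTE(review): the default OIDs do not all match their friendlyName
		// (urn:oid:2.5.4.4 is 'sn', urn:oid:2.16.840.1.113730.3.1.241 is
		// 'displayName', and urn:oid:2.19200300.5.4.4 is not a registered OID).
		// They are left unchanged here because existing IdP mappings may rely on
		// them — confirm against the IdP's attribute release policy.
		'attributeConsumingService' => [
			'serviceName'         => env('SAML2_SP_SERVICE_NAME', 'samlidp.io'),
			'serviceDescription'  => env('SAML2_SP_SERVICE_DESCRIPTION', 'samlidp.io'),
			'requestedAttributes' => [
				[
					'nameFormat'   => \OneLogin\Saml2\Constants::ATTRNAME_FORMAT_URI,
					'isRequired'   => true,
					'name'         => env('SAML2_SP_DISPLAY_UID_ATTRIBUTE', 'urn:oid:2.5.4.4'),
					'friendlyName' => 'uid',
				],
				[
					'nameFormat'   => \OneLogin\Saml2\Constants::ATTRNAME_FORMAT_URI,
					'isRequired'   => true,
					'name'         => env('SAML2_SP_DISPLAY_LASTNAME_ATTRIBUTE', 'urn:oid:2.16.840.1.113730.3.1.241'),
					'friendlyName' => 'lastname',
				],
				[
					'nameFormat'   => \OneLogin\Saml2\Constants::ATTRNAME_FORMAT_URI,
					'isRequired'   => true,
					'name'         => env('SAML2_SP_DISPLAY_FIRSTNAME_ATTRIBUTE', 'urn:oid:2.5.4.42'),
					'friendlyName' => 'firstname',
				],
				[
					'nameFormat'   => \OneLogin\Saml2\Constants::ATTRNAME_FORMAT_URI,
					'isRequired'   => true,
					'name'         => env('SAML2_SP_DISPLAY_MAIL_ATTRIBUTE', 'urn:oid:0.9.2342.19200300.100.1.3'),
					'friendlyName' => 'mail',
				],
				[
					'nameFormat'   => \OneLogin\Saml2\Constants::ATTRNAME_FORMAT_URI,
					'isRequired'   => false,
					'name'         => env('SAML2_SP_DISPLAY_COMPANY_ATTRIBUTE', 'urn:oid:2.19200300.5.4.4'),
					'friendlyName' => 'company',
				],
			],
		],
	],

	// Identity Provider Data that we want to connect with our SP
	'idp'                          => [
		// Identifier of the IdP entity (must be a URI)
		'entityId'            => env('SAML2_IDP_ENTITYID', $idp_host . '/saml2/idp/metadata.php'),
		// SSO endpoint info of the IdP. (Authentication Request protocol)
		'singleSignOnService' => [
			// URL Target of the IdP where the SP will send the Authentication Request Message,
			// using HTTP-Redirect binding.
			'url' => env('SAML2_SINGLE_SIGN_ON_SERVICE_URI', $idp_host . '/saml2/idp/SSOService.php'),
		],
		// SLO endpoint info of the IdP.
		'singleLogoutService' => [
			// URL Location of the IdP where the SP will send the SLO Request,
			// using HTTP-Redirect binding.
			'url' => env('SAML2_SINGLE_LOGOUT_SERVICE_URI', $idp_host . '/saml2/idp/SingleLogoutService.php'),
		],
		// Public x509 certificate of the IdP.
		// This is the trust anchor for every assertion this SP accepts: whoever holds
		// the matching private key can log in as any user. It therefore has NO built-in
		// default — the demo certificate previously hard-coded here would have been
		// trusted silently in any deployment that forgot to set SAML2_IDP_x509.
		// The OneLogin settings validation should reject an IdP block that has neither
		// a certificate nor a fingerprint, so a missing value fails closed at start-up
		// instead of accepting unverifiable responses.
		'x509cert'            => env('SAML2_IDP_x509', ''),
		// Alternative to the full certificate: its fingerprint, as produced by
		//   openssl x509 -noout -fingerprint -in "idp.crt"
		// Supply only the hex digest (colons are fine), NOT the "SHA1 Fingerprint="
		// label that openssl prints in front of it; the label would never match.
		// Prefer the full certificate above and keep this empty unless you need it.
		'certFingerprint'     => env('SAML2_IDP_CERT_FINGERPRINT', ''),
	],

	/***
	 *  OneLogin advanced settings
	 */
	// Security settings
	'security'                     => [

		/** signatures and encryptions offered */

		// The nameID of the <samlp:logoutRequest> sent by this SP will be encrypted.
		'nameIdEncrypted'       => true,

		// Whether the <samlp:AuthnRequest> messages sent by this SP will be signed.
		// [The Metadata of the SP will offer this info]
		'authnRequestsSigned'   => false,

		// Whether the <samlp:logoutRequest> messages sent by this SP will be signed.
		'logoutRequestSigned'   => false,

		// Whether the <samlp:logoutResponse> messages sent by this SP will be signed.
		'logoutResponseSigned'  => false,

		/* Sign the Metadata
		 false || true (use sp certs) || array (
													keyFileName => 'metadata.key',
													certFileName => 'metadata.crt'
												)
		*/
		'signMetadata'          => false,

		/** signatures and encryptions required **/

		// Require the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse>
		// elements received by this SP to be signed.
		// Defaults to false for compatibility with the local demo IdP; set
		// SAML2_SECURITY_WANT_MESSAGES_SIGNED=true once the real IdP signs messages.
		'wantMessagesSigned'    => env('SAML2_SECURITY_WANT_MESSAGES_SIGNED', false),

		// Require the <saml:Assertion> elements received by this SP to be signed.
		// [The Metadata of the SP will offer this info]
		// The saml2int profile quoted at the bottom of this file recommends true;
		// set SAML2_SECURITY_WANT_ASSERTIONS_SIGNED=true in production.
		'wantAssertionsSigned'  => env('SAML2_SECURITY_WANT_ASSERTIONS_SIGNED', false),

		// Require the NameID received by this SP to be encrypted.
		'wantNameIdEncrypted'   => false,

		// Authentication context.
		// Set to false and no AuthnContext will be sent in the AuthnRequest.
		// Set to true (or omit the key) and an 'exact' AuthnContext of
		// 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' is requested.
		// Set an array to list the acceptable classes, e.g.
		// array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509')
		'requestedAuthnContext' => false,
	],

	// Contact information template; supplying a technical and a support contact is recommended.
	'contactPerson'                => [
		'technical' => [
			'givenName'    => 'name',
			'emailAddress' => 'no@reply.com',
		],
		'support'   => [
			'givenName'    => 'Support',
			'emailAddress' => 'no@reply.com',
		],
	],

	// Organization information template; the en-US entry is recommended, add more if required.
	'organization'                 => [
		'en-US' => [
			'name'        => 'Name',
			'displayname' => 'Display Name',
			'url'         => 'http://url',
		],
	],
	/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int]   http://saml2int.org/profile/current

	   'authnRequestsSigned' => false,    // SP SHOULD NOT sign the <samlp:AuthnRequest>,
										  // MUST NOT assume that the IdP validates the signature
	   'wantAssertionsSigned' => true,
	   'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPS is disabled
	   'wantNameIdEncrypted' => false,
	*/
];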
